Regulators voice concerns over cloud risk

Concerns are growing among regulators that an outage or failure at a tech giant that provides outsourced cloud services to a large number of institutions could cascade through the financial system, according to a senior executive from the Federal Reserve Bank of New York.

Regulators acknowledge there is a trade-off between relying on a handful of vendors to provide services that improve institutions’ resilience to shocks on an individual basis – for instance, by enabling workers to ‘remote in’ to systems from home while they are unable to come into the office during the Covid-19 pandemic – versus the risk that an attack on such a firm that could cause outsized disruption to the entire system.

“The vulnerabilities in a third-party provider might plague multiple institutions at once, and that can lead to a very large shock that wouldn’t be possible if we had a more diverse ecosystem of controls and practices,” said Michael Lee, a New York Fed financial economist, during a panel discussion at Risk USA on November 17, where he was speaking in a personal capacity.

The issue of concentration risk has attracted the attention of the Financial Stability Board, which earlier this month issued a discussion paper on outsourcing and third-party relationships. The paper is based on a survey of national supervisors that says systemic risk arising from concentration of services to financial institutions is likely to increase.

While the benefits and cost savings of moving critical operations to the cloud are compelling, operational risk executives have long feared an overreliance on the big three service providers – Amazon, Google and Microsoft – could place financial institutions and their customers at risk.

Concentration risk is part of a broader set of outsourcing risks that have arisen since the start of the pandemic, which has caused institutions to reassess the resilience of their third-party suppliers, scrutinising everything from their financial well-being to their ability to switch to other providers, should their primary ones fail.

“You have an ecosystem of third parties we all tend to use, and that leads to concentration risk. Almost all of us have a significant reliance on one of the top three large service providers: Amazon, Google and Microsoft. That’s where we start seeing concentration risk,” said Mandar Rege, managing director of operational risk management, technology and cyber security at Citi, during the same panel discussion.

Regulators have noted that as larger numbers of financial institutions migrate to the cloud, a small number of service providers could represent a single point of failure and therefore pose systemic risks.

The Bank of England, in a 2019 report, suggested that cloud providers should be regulated. It called on the Prudential Regulation Authority “to engage with service providers directly to ensure they meet supervisory expectations”, and assess third-party risk management at the individual firm level, such as service level agreements and fallback arrangements.

“Most banks use AWS [Amazon Web Services], and some are very reliant. This creates a huge concentration risk for regulators. I would not be surprised to see a systemic label applied to a select number of vendors like Amazon,” says Evan Sekeris, head of model validation at PNC Financial Services Group, and a former Fed regulator.